Posted to users@cxf.apache.org by Agustí <ag...@dosaiguas.net> on 2008/05/15 15:51:33 UTC

Call CXF Service over HTTPS

Dear All,

I can't find it in the docs.

How can I configure CXF's embedded Jetty to only accept connections over
HTTPS, but without the need of client certificates?

I mean, like the wsdl_first_https, but without the need of a client
certificate, I don't need to authenticate the client...

Thanks,

Agusti Dosaiguas


Re: Call CXF Service over HTTPS

Posted by Agustí Dosaiguas falcó <ag...@dosaiguas.net>.
Hi Dan,

Over Ubuntu Hardy:
$ java -version
java version "1.6.0_06"
Java(TM) SE Runtime Environment (build 1.6.0_06-b02)
Java HotSpot(TM) Client VM (build 10.0-b22, mixed mode, sharing)

Over Windows
 > java -version
java version "1.6.0_05"
Java(TM) SE Runtime Environment (build 1.6.0_05-b13)
Java HotSpot(TM) Client VM (build 10.0-b19, mixed mode, sharing)

It fails the same way on both platforms. Although without using a client 
certificate it works!

Thanks,

Agusti

Daniel Kulp wrote:
>
> Which version of java 6 and on which platform?
>
> I believe all the samples in 2.1 were tested on java6 update 4 at one 
> point (I think on Windows, Sean?), but maybe something crept into the 
> code at the last minute or so that broke that sample.
>
> Dan
>
>
>
>
> On May 15, 2008, at 10:25 AM, Agustí wrote:
>
>> Dear All,
>>
>> Ok, I think that I finally found it.
>>
>> On wsdl_first_https I've modified this line in CherryServer.cxf:
>>
>> from: <sec:clientAuthentication want="true" required="true"/>
>> to:    <sec:clientAuthentication want="false" required="false"/>
>>
>> And in InsecureClient.cxf I've added this:
>>
>>    <http:tlsClientParameters disableCNCheck="true">
>>      <sec:trustManagers>
>>          <sec:keyStore type="JKS" password="password"
>>               file="certs/truststore.jks"/>
>>      </sec:trustManagers>
>>      <sec:cipherSuitesFilter>
>>        <!-- these filters ensure that a ciphersuite with
>>          export-suitable or null encryption is used,
>>          but exclude anonymous Diffie-Hellman key change as
>>          this is vulnerable to man-in-the-middle attacks -->
>>        <sec:include>.*_EXPORT_.*</sec:include>
>>        <sec:include>.*_EXPORT1024_.*</sec:include>
>>        <sec:include>.*_WITH_DES_.*</sec:include>
>>        <sec:include>.*_WITH_NULL_.*</sec:include>
>>        <sec:exclude>.*_DH_anon_.*</sec:exclude>
>>      </sec:cipherSuitesFilter>
>>    </http:tlsClientParameters>
>>   </http:conduit>
>>
>>    <bean id="cxf" class="org.apache.cxf.bus.CXFBusImpl">
>>    </bean>
>>
>> Now it works, without using a client certificate! (I only want to encrypt
>> the HTTP transport).
>>
>> One thing that I've found doing this test is that the wsdl_first_https
>> sample doesn't work using jdk 6, neither using CXF v2.0.6 nor using CXF
>> v2.1!
>>
>> Regards,
>>
>> Agusti Dosaiguas
>>
>> PS: Hope that this helps someone!
>>
>> On Thu, May 15, 2008 15:51, Agustí wrote:
>>> Dear All,
>>>
>>> I can't find it in the docs.
>>>
>>> How can I configure CXF's embedded Jetty to only accept connections over
>>> HTTPS, but without the need of client certificates?
>>>
>>> I mean, like the wsdl_first_https, but without the need of a client
>>> certificate, I don't need to authenticate the client...
>>>
>>> Thanks,
>>>
>>> Agusti Dosaiguas
>>>
>>>
>>
>>
>
> ---
> Daniel Kulp
> dkulp@apache.org
> http://www.dankulp.com/blog
>
>
>
>


Re: Call CXF Service over HTTPS

Posted by Daniel Kulp <dk...@apache.org>.
Which version of java 6 and on which platform?

I believe all the samples in 2.1 were tested on java6 update 4 at one  
point (I think on Windows, Sean?), but maybe something crept into the  
code at the last minute or so that broke that sample.

Dan




On May 15, 2008, at 10:25 AM, Agustí wrote:

> Dear All,
>
> Ok, I think that I finally found it.
>
> On wsdl_first_https I've modified this line in CherryServer.cxf:
>
> from: <sec:clientAuthentication want="true" required="true"/>
> to:    <sec:clientAuthentication want="false" required="false"/>
>
> And in InsecureClient.cxf I've added this:
>
>    <http:tlsClientParameters disableCNCheck="true">
>      <sec:trustManagers>
>          <sec:keyStore type="JKS" password="password"
>               file="certs/truststore.jks"/>
>      </sec:trustManagers>
>      <sec:cipherSuitesFilter>
>        <!-- these filters ensure that a ciphersuite with
>          export-suitable or null encryption is used,
>          but exclude anonymous Diffie-Hellman key change as
>          this is vulnerable to man-in-the-middle attacks -->
>        <sec:include>.*_EXPORT_.*</sec:include>
>        <sec:include>.*_EXPORT1024_.*</sec:include>
>        <sec:include>.*_WITH_DES_.*</sec:include>
>        <sec:include>.*_WITH_NULL_.*</sec:include>
>        <sec:exclude>.*_DH_anon_.*</sec:exclude>
>      </sec:cipherSuitesFilter>
>    </http:tlsClientParameters>
>   </http:conduit>
>
>    <bean id="cxf" class="org.apache.cxf.bus.CXFBusImpl">
>    </bean>
>
> Now it works, without using a client certificate! (I only want to encrypt
> the HTTP transport).
>
> One thing that I've found doing this test is that the wsdl_first_https
> sample doesn't work using jdk 6, neither using CXF v2.0.6 nor using CXF
> v2.1!
>
> Regards,
>
> Agusti Dosaiguas
>
> PS: Hope that this helps someone!
>
> On Thu, May 15, 2008 15:51, Agustí wrote:
>> Dear All,
>>
>> I can't find it in the docs.
>>
>> How can I configure CXF's embedded Jetty to only accept connections over
>> HTTPS, but without the need of client certificates?
>>
>> I mean, like the wsdl_first_https, but without the need of a client
>> certificate, I don't need to authenticate the client...
>>
>> Thanks,
>>
>> Agusti Dosaiguas
>>
>>
>
>

---
Daniel Kulp
dkulp@apache.org
http://www.dankulp.com/blog





Re: Call CXF Service over HTTPS

Posted by Agustí <ag...@dosaiguas.net>.
Dear All,

Ok, I think that I finally found it.

On wsdl_first_https I've modified this line in CherryServer.cxf:

from: <sec:clientAuthentication want="true" required="true"/>
to:    <sec:clientAuthentication want="false" required="false"/>

And in InsecureClient.cxf I've added this:

    <http:tlsClientParameters disableCNCheck="true">
      <sec:trustManagers>
          <sec:keyStore type="JKS" password="password"
               file="certs/truststore.jks"/>
      </sec:trustManagers>
      <sec:cipherSuitesFilter>
        <!-- these filters ensure that a ciphersuite with
          export-suitable or null encryption is used,
          but exclude anonymous Diffie-Hellman key change as
          this is vulnerable to man-in-the-middle attacks -->
        <sec:include>.*_EXPORT_.*</sec:include>
        <sec:include>.*_EXPORT1024_.*</sec:include>
        <sec:include>.*_WITH_DES_.*</sec:include>
        <sec:include>.*_WITH_NULL_.*</sec:include>
        <sec:exclude>.*_DH_anon_.*</sec:exclude>
      </sec:cipherSuitesFilter>
    </http:tlsClientParameters>
   </http:conduit>

    <bean id="cxf" class="org.apache.cxf.bus.CXFBusImpl">
    </bean>

Now it works, without using a client certificate! (I only want to encrypt
the HTTP transport).

One thing that I've found doing this test is that the wsdl_first_https
sample doesn't work using jdk 6, neither using CXF v2.0.6 nor using CXF
v2.1!

Regards,

Agusti Dosaiguas

PS: Hope that this helps someone!

On Thu, May 15, 2008 15:51, Agustí wrote:
> Dear All,
>
> I can't find it in the docs.
>
> How can I configure CXF's embedded Jetty to only accept connections over
> HTTPS, but without the need of client certificates?
>
> I mean, like the wsdl_first_https, but without the need of a client
> certificate, I don't need to authenticate the client...
>
> Thanks,
>
> Agusti Dosaiguas
>
>
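
The client conduit from the post above, with host-name checking left on and the cipher filter limited to AES suites, which matches the stated goal of encrypting the transport without a client certificate. This is an added example, not part of the original post or the CXF sample; the wildcard conduit name is an assumption, and the trust store path and password are the ones quoted in the post.

```xml
<!-- Added example: server-authenticated TLS only, no client certificate. -->
<beans xmlns="http://www.springframework.org/schema/beans"
       xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
       xmlns:http="http://cxf.apache.org/transports/http/configuration"
       xmlns:sec="http://cxf.apache.org/configuration/security"
       xsi:schemaLocation="
         http://www.springframework.org/schema/beans
           http://www.springframework.org/schema/beans/spring-beans.xsd
         http://cxf.apache.org/transports/http/configuration
           http://cxf.apache.org/schemas/configuration/http-conf.xsd
         http://cxf.apache.org/configuration/security
           http://cxf.apache.org/schemas/configuration/security.xsd">

  <!-- Assumption: "*.http-conduit" applies to every client conduit;
       a port-specific conduit name can be used instead. -->
  <http:conduit name="*.http-conduit">
    <!-- disableCNCheck is not set, so it keeps its default (false) and the
         server certificate's name must match the host in the endpoint URL. -->
    <http:tlsClientParameters>
      <!-- Trust store only: the client verifies the server and presents no
           certificate of its own, so there is no sec:keyManagers element. -->
      <sec:trustManagers>
        <sec:keyStore type="JKS" password="password"
                      file="certs/truststore.jks"/>
      </sec:trustManagers>
      <sec:cipherSuitesFilter>
        <!-- Only AES suites are offered. The EXPORT, DES and NULL patterns
             from the post are not included, so a suite with weak or no
             encryption cannot be negotiated. -->
        <sec:include>.*_WITH_AES_.*</sec:include>
        <!-- Anonymous key exchange (DH_anon, ECDH_anon) authenticates
             nobody, so those AES suites are removed as well. -->
        <sec:exclude>.*_anon_.*</sec:exclude>
      </sec:cipherSuitesFilter>
    </http:tlsClientParameters>
  </http:conduit>
</beans>
```

With host-name checking on, the server certificate in the trust store has to carry the host name the client actually connects to.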